ruby-net-ldap 0.0.1

data/lib/net/ldap/pdu.rb

@@ -0,0 +1,155 @@
+# $Id: pdu.rb 85 2006-04-30 16:31:08Z blackhedd $
+#
+# LDAP PDU support classes
+#
+#
+#----------------------------------------------------------------------------
+#
+# Copyright (C) 2006 by Francis Cianfrocca. All Rights Reserved.
+#
+# Gmail: garbagecat10
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+#---------------------------------------------------------------------------
+#
+
+
+
+module Net
+
+
+class LdapPduError < Exception; end
+
+
+class LdapPdu
+
+  BindResult = 1
+  SearchReturnedData = 4
+  SearchResult = 5
+  ModifyResponse = 7
+  AddResponse = 9
+  DeleteResponse = 11
+  ModifyRDNResponse = 13
+
+  attr_reader :msg_id, :app_tag
+  attr_reader :search_dn, :search_attributes, :search_entry
+
+  #
+  # initialize
+  # An LDAP PDU always looks like a BerSequence with
+  # two elements: an integer (message-id number), and
+  # an application-specific sequence.
+  # The application-specific tag in the sequence tells
+  # us what kind of packet it is, and each kind has its
+  # own format, defined in RFC-1777.
+  # Observe that many clients (such as ldapsearch)
+  # do not necessarily enforce the expected application
+  # tags on received protocol packets. This implementation
+  # does interpret the RFC strictly in this regard, and
+  # it remains to be seen whether there are servers out
+  # there that will not work well with our approach.
+  #
+  def initialize ber_object
+    begin
+      @msg_id = ber_object[0].to_i
+      @app_tag = ber_object[1].ber_identifier - 0x60
+    rescue
+      # any error becomes a data-format error
+      raise LdapPduError.new( "ldap-pdu format error" )
+    end
+
+    case @app_tag
+    when BindResult
+      parse_ldap_result ber_object[1]
+    when SearchReturnedData
+      parse_search_return ber_object[1]
+    when SearchResult
+      parse_ldap_result ber_object[1]
+    when ModifyResponse
+      parse_ldap_result ber_object[1]
+    when AddResponse
+      parse_ldap_result ber_object[1]
+    when DeleteResponse
+      parse_ldap_result ber_object[1]
+    when ModifyRDNResponse
+      parse_ldap_result ber_object[1]
+    else
+      raise LdapPduError.new( "unknown pdu-type: #{@app_tag}" )
+    end
+  end
+
+  #
+  # result_code
+  # This returns an LDAP result code taken from the PDU,
+  # but it will be nil if there wasn't a result code.
+  # That can easily happen depending on the type of packet.
+  #
+  def result_code code = :resultCode
+    @ldap_result and @ldap_result[code]
+  end
+
+
+  private
+
+  #
+  # parse_ldap_result
+  #
+  def parse_ldap_result sequence
+    sequence.length >= 3 or raise LdapPduError
+    @ldap_result = {:resultCode => sequence[0], :matchedDN => sequence[1], :errorMessage => sequence[2]}
+  end
+
+  #
+  # parse_search_return
+  # Definition from RFC 1777 (we're handling application-4 here)
+  #
+  # Search Response ::=
+  #    CHOICE {
+  #         entry          [APPLICATION 4] SEQUENCE {
+  #                             objectName     LDAPDN,
+  #                             attributes     SEQUENCE OF SEQUENCE {
+  #                                                 AttributeType,
+  #                                                 SET OF AttributeValue
+  #                                            }
+  #                        },
+  #         resultCode     [APPLICATION 5] LDAPResult
+  #     }
+  #
+  # We concoct a search response that is a hash of the returned attribute values.
+  # NOW OBSERVE CAREFULLY: WE ARE DOWNCASING THE RETURNED ATTRIBUTE NAMES.
+  # This is to make them more predictable for user programs, but it
+  # may not be a good idea. Maybe this should be configurable.
+  # ALTERNATE IMPLEMENTATION: In addition to @search_dn and @search_attributes,
+  # we also return @search_entry, which is an LDAP::Entry object.
+  # If that works out well, then we'll remove the first two.
+  #
+  def parse_search_return sequence
+    sequence.length >= 2 or raise LdapPduError
+    @search_entry = LDAP::Entry.new( sequence[0] )
+    @search_dn = sequence[0]
+    @search_attributes = {}
+    sequence[1].each {|seq|
+      @search_entry[seq[0]] = seq[1]
+      @search_attributes[seq[0].downcase.intern] = seq[1]
+    }
+  end
+
+
+end
+
+
+end # module Net
+

data/lib/net/ldap/psw.rb

@@ -0,0 +1,64 @@
+# $Id: psw.rb 73 2006-04-24 21:59:35Z blackhedd $
+#
+#
+#----------------------------------------------------------------------------
+#
+# Copyright (C) 2006 by Francis Cianfrocca. All Rights Reserved.
+#
+# Gmail: garbagecat10
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+#---------------------------------------------------------------------------
+#
+#
+
+
+module Net
+class LDAP
+
+
+class Password
+  class << self
+
+  # Generate a password-hash suitable for inclusion in an LDAP attribute.
+  # Pass a hash type (currently supported: :md5 and :sha) and a plaintext
+  # password. This function will return a hashed representation.
+  # STUB: This is here to fulfill the requirements of an RFC, which one?
+  # TODO, gotta do salted-sha and (maybe) salted-md5.
+  # Should we provide sha1 as a synonym for sha1? I vote no because then
+  # should you also provide ssha1 for symmetry?
+  def generate( type, str )
+    case type
+    when :md5
+      require 'md5'
+      "{MD5}#{ [MD5.new( str.to_s ).digest].pack("m").chomp }"
+    when :sha
+      require 'sha1'
+      "{SHA}#{ [SHA1.new( str.to_s ).digest].pack("m").chomp }"
+    # when ssha
+    else
+      raise Net::LDAP::LdapError.new( "unsupported password-hash type (#{type})" )
+    end
+  end
+
+  end
+end
+
+
+end # class LDAP
+end # module Net
+
+

data/lib/net/ldif.rb

@@ -0,0 +1,39 @@
+# $Id: ldif.rb 78 2006-04-26 02:57:34Z blackhedd $
+#
+# Net::LDIF for Ruby
+#
+#
+#
+# Copyright (C) 2006 by Francis Cianfrocca. All Rights Reserved.
+#
+# Gmail: garbagecat10
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+#
+
+# THIS FILE IS A STUB.
+
+module Net
+
+  class LDIF
+
+
+  end # class LDIF
+
+
+end # module Net
+
+

data/tests/testber.rb

@@ -0,0 +1,42 @@
+# $Id: testber.rb 57 2006-04-18 00:18:48Z blackhedd $
+#
+#
+
+
+$:.unshift "lib"
+
+require 'net/ldap'
+require 'stringio'
+
+
+class TestBer < Test::Unit::TestCase
+
+  def setup
+  end
+
+  # TODO: Add some much bigger numbers
+  # 5000000000 is a Bignum, which hits different code.
+  def test_ber_integers
+    assert_equal( "\002\001\005", 5.to_ber )
+    assert_equal( "\002\002\203t", 500.to_ber )
+    assert_equal( "\002\003\203\206P", 50000.to_ber )
+    assert_equal( "\002\005\222\320\227\344\000", 5000000000.to_ber )
+  end
+
+  def test_ber_parsing
+    assert_equal( 6, "\002\001\006".read_ber( Net::LDAP::AsnSyntax ))
+    assert_equal( "testing", "\004\007testing".read_ber( Net::LDAP::AsnSyntax ))
+  end
+
+
+  def test_ber_parser_on_ldap_bind_request
+    s = StringIO.new "0$\002\001\001`\037\002\001\003\004\rAdministrator\200\vad_is_bogus"
+    assert_equal( [1, [3, "Administrator", "ad_is_bogus"]], s.read_ber( Net::LDAP::AsnSyntax ))
+  end
+
+
+
+
+end
+
+

data/tests/testdata.ldif

@@ -0,0 +1,101 @@
+# $Id: testdata.ldif 50 2006-04-17 17:57:33Z blackhedd $
+#
+# This is test-data for an LDAP server in LDIF format.
+#
+dn: dc=bayshorenetworks,dc=com
+objectClass: dcObject
+objectClass: organization
+o: Bayshore Networks LLC
+dc: bayshorenetworks
+
+dn: cn=Manager,dc=bayshorenetworks,dc=com
+objectClass: organizationalrole
+cn: Manager
+
+dn: ou=people,dc=bayshorenetworks,dc=com
+objectClass: organizationalunit
+ou: people
+
+dn: ou=privileges,dc=bayshorenetworks,dc=com
+objectClass: organizationalunit
+ou: privileges
+
+dn: ou=roles,dc=bayshorenetworks,dc=com
+objectClass: organizationalunit
+ou: roles
+
+dn: ou=office,dc=bayshorenetworks,dc=com
+objectClass: organizationalunit
+ou: office
+
+dn: mail=nogoodnik@steamheat.net,ou=people,dc=bayshorenetworks,dc=com
+cn: Bob Fosse
+mail: nogoodnik@steamheat.net
+sn: Fosse
+ou: people
+objectClass: top
+objectClass: inetorgperson
+objectClass: authorizedperson
+hasAccessRole: uniqueIdentifier=engineer,ou=roles
+hasAccessRole: uniqueIdentifier=ldapadmin,ou=roles
+hasAccessRole: uniqueIdentifier=ldapsuperadmin,ou=roles
+hasAccessRole: uniqueIdentifier=ogilvy_elephant_user,ou=roles
+hasAccessRole: uniqueIdentifier=ogilvy_eagle_user,ou=roles
+hasAccessRole: uniqueIdentifier=greenplug_user,ou=roles
+hasAccessRole: uniqueIdentifier=brandplace_logging_user,ou=roles
+hasAccessRole: uniqueIdentifier=brandplace_report_user,ou=roles
+hasAccessRole: uniqueIdentifier=workorder_user,ou=roles
+hasAccessRole: uniqueIdentifier=bayshore_eagle_user,ou=roles
+hasAccessRole: uniqueIdentifier=bayshore_eagle_superuser,ou=roles
+hasAccessRole: uniqueIdentifier=kledaras_user,ou=roles
+
+dn: mail=elephant@steamheat.net,ou=people,dc=bayshorenetworks,dc=com
+cn: Gwen Verdon
+mail: elephant@steamheat.net
+sn: Verdon
+ou: people
+objectClass: top
+objectClass: inetorgperson
+objectClass: authorizedperson
+hasAccessRole: uniqueIdentifier=brandplace_report_user,ou=roles
+hasAccessRole: uniqueIdentifier=engineer,ou=roles
+hasAccessRole: uniqueIdentifier=ogilvy_elephant_user,ou=roles
+hasAccessRole: uniqueIdentifier=ldapsuperadmin,ou=roles
+hasAccessRole: uniqueIdentifier=ldapadmin,ou=roles
+
+dn: uniqueIdentifier=engineering,ou=privileges,dc=bayshorenetworks,dc=com
+uniqueIdentifier: engineering
+ou: privileges
+objectClass: accessPrivilege
+
+dn: uniqueIdentifier=engineer,ou=roles,dc=bayshorenetworks,dc=com
+uniqueIdentifier: engineer
+ou: roles
+objectClass: accessRole
+hasAccessPrivilege: uniqueIdentifier=engineering,ou=privileges
+
+dn: uniqueIdentifier=ldapadmin,ou=roles,dc=bayshorenetworks,dc=com
+uniqueIdentifier: ldapadmin
+ou: roles
+objectClass: accessRole
+
+dn: uniqueIdentifier=ldapsuperadmin,ou=roles,dc=bayshorenetworks,dc=com
+uniqueIdentifier: ldapsuperadmin
+ou: roles
+objectClass: accessRole
+
+dn: mail=catperson@steamheat.net,ou=people,dc=bayshorenetworks,dc=com
+cn: Sid Sorokin
+mail: catperson@steamheat.net
+sn: Sorokin
+ou: people
+objectClass: top
+objectClass: inetorgperson
+objectClass: authorizedperson
+hasAccessRole: uniqueIdentifier=engineer,ou=roles
+hasAccessRole: uniqueIdentifier=ogilvy_elephant_user,ou=roles
+hasAccessRole: uniqueIdentifier=ldapsuperadmin,ou=roles
+hasAccessRole: uniqueIdentifier=ogilvy_eagle_user,ou=roles
+hasAccessRole: uniqueIdentifier=greenplug_user,ou=roles
+hasAccessRole: uniqueIdentifier=workorder_user,ou=roles
+

data/tests/testem.rb

@@ -0,0 +1,11 @@
+# $Id: testem.rb 72 2006-04-24 21:58:14Z blackhedd $
+#
+#
+
+require 'test/unit'
+require 'tests/testber'
+require 'tests/testldif'
+require 'tests/testldap'
+require 'tests/testpsw'
+
+

data/tests/testldap.rb

@@ -0,0 +1,190 @@
+# $Id: testldap.rb 65 2006-04-23 01:17:49Z blackhedd $
+#
+#
+
+
+$:.unshift "lib"
+
+require 'test/unit'
+
+require 'net/ldap'
+require 'stringio'
+
+
+class TestLdapClient < Test::Unit::TestCase
+
+  # TODO: these tests crash and burn if the associated
+  # LDAP testserver isn't up and running.
+  # We rely on being able to read a file with test data
+  # in LDIF format.
+  # TODO, WARNING: for the moment, this data is in a file
+  # whose name and location are HARDCODED into the
+  # instance method load_test_data.
+
+  def setup
+    @host = "127.0.0.1"
+    @port = 3890
+    @auth = {
+      :method => :simple,
+      :username => "cn=bigshot,dc=bayshorenetworks,dc=com",
+      :password => "opensesame"
+    }
+
+    @ldif = load_test_data
+  end
+
+
+
+  # Get some test data which will be used to validate
+  # the responses from the test LDAP server we will
+  # connect to.
+  # TODO, Bogus: we are HARDCODING the location of the file for now.
+  #
+  def load_test_data
+    ary = File.readlines( "tests/testdata.ldif" )
+    hash = {}
+    while line = ary.shift and line.chomp!
+      if line =~ /^dn:[\s]*/i
+        dn = $'
+        hash[dn] = {}
+        while attr = ary.shift and attr.chomp! and attr =~ /^([\w]+)[\s]*:[\s]*/
+          hash[dn][$1.downcase.intern] ||= []
+          hash[dn][$1.downcase.intern] << $'
+        end
+      end
+    end
+    hash
+  end
+
+
+
+  # Binding tests.
+  # Need tests for all kinds of network failures and incorrect auth.
+  # TODO: Implement a class-level timeout for operations like bind.
+  # Search has a timeout defined at the protocol level, other ops do not.
+  # TODO, use constants for the LDAP result codes, rather than hardcoding them.
+  def test_bind
+    ldap = Net::LDAP.new :host => @host, :port => @port, :auth => @auth
+    assert_equal( true, ldap.bind )
+    assert_equal( 0, ldap.get_operation_result.code )
+    assert_equal( "Success", ldap.get_operation_result.message )
+
+    bad_username = @auth.merge( {:username => "cn=badguy,dc=imposters,dc=com"} )
+    ldap = Net::LDAP.new :host => @host, :port => @port, :auth => bad_username
+    assert_equal( false, ldap.bind )
+    assert_equal( 48, ldap.get_operation_result.code )
+    assert_equal( "Inappropriate Authentication", ldap.get_operation_result.message )
+
+    bad_password = @auth.merge( {:password => "cornhusk"} )
+    ldap = Net::LDAP.new :host => @host, :port => @port, :auth => bad_password
+    assert_equal( false, ldap.bind )
+    assert_equal( 49, ldap.get_operation_result.code )
+    assert_equal( "Invalid Credentials", ldap.get_operation_result.message )
+  end
+
+
+
+  def test_search
+    ldap = Net::LDAP.new :host => @host, :port => @port, :auth => @auth
+
+    search = {:base => "dc=smalldomain,dc=com"}
+    assert_equal( false, ldap.search( search ))
+    assert_equal( 32, ldap.get_operation_result.code )
+    
+    search = {:base => "dc=bayshorenetworks,dc=com"}
+    assert_equal( true, ldap.search( search ))
+    assert_equal( 0, ldap.get_operation_result.code )
+    
+    ldap.search( search ) {|res|
+      assert_equal( res, @ldif )
+    }
+  end
+    
+
+
+
+  # This is a helper routine for test_search_attributes.
+  def internal_test_search_attributes attrs_to_search
+    ldap = Net::LDAP.new :host => @host, :port => @port, :auth => @auth
+    assert( ldap.bind )
+
+    search = {
+      :base => "dc=bayshorenetworks,dc=com",
+      :attributes => attrs_to_search
+    }
+
+    ldif = @ldif
+    ldif.each {|dn,entry|
+      entry.delete_if {|attr,value|
+        ! attrs_to_search.include?(attr)
+      }
+    }
+  
+    assert_equal( true, ldap.search( search ))
+    ldap.search( search ) {|res|
+      res_keys = res.keys.sort
+      ldif_keys = ldif.keys.sort
+      assert( res_keys, ldif_keys )
+      res.keys.each {|rk|
+        assert( res[rk], ldif[rk] )
+      }
+    }
+  end
+
+
+  def test_search_attributes
+    internal_test_search_attributes [:mail]
+    internal_test_search_attributes [:cn]
+    internal_test_search_attributes [:ou]
+    internal_test_search_attributes [:hasaccessprivilege]
+    internal_test_search_attributes ["mail"]
+    internal_test_search_attributes ["cn"]
+    internal_test_search_attributes ["ou"]
+    internal_test_search_attributes ["hasaccessrole"]
+
+    internal_test_search_attributes [:mail, :cn, :ou, :hasaccessrole]
+    internal_test_search_attributes [:mail, "cn", :ou, "hasaccessrole"]
+  end
+
+
+  def test_search_filters
+    ldap = Net::LDAP.new :host => @host, :port => @port, :auth => @auth
+    search = {
+      :base => "dc=bayshorenetworks,dc=com",
+      :filter => Net::LDAP::Filter.eq( "sn", "Fosse" )
+    }
+
+    ldap.search( search ) {|res|
+      p res
+    }
+  end
+
+
+
+  def test_open
+    ldap = Net::LDAP.new :host => @host, :port => @port, :auth => @auth
+    ldap.open {|ldap|
+      10.times {
+        rc = ldap.search( :base => "dc=bayshorenetworks,dc=com" )
+        assert_equal( true, rc )
+      }
+    }
+  end
+
+
+  def test_ldap_open
+    Net::LDAP.open( :host => @host, :port => @port, :auth => @auth ) {|ldap|
+      10.times {
+        rc = ldap.search( :base => "dc=bayshorenetworks,dc=com" )
+        assert_equal( true, rc )
+      }
+    }
+  end
+
+
+
+
+
+end
+
+